16 days ago
Environment:
NestJS 10 backend deployed on Railway
Frontend on Vercel (https://stash-frontend-pi.vercel.app)
Monorepo with pnpm workspaces
Problem:
No matter what I configure in main.ts, the preflight response always returns Access-Control-Allow-Origin: https://railway.com. This value is not in my code anywhere.
I have tried:
Setting CORS_ORIGIN env var in Railway dashboard to https://stash-frontend-pi.vercel.app
Hardcoding the origin directly in app.enableCors({ origin: 'https://stash-frontend-pi.vercel.app' })
Using raw Express middleware to set the header manually before any NestJS processing
All approaches result in the same response:
```bash
curl -I -X OPTIONS https://stash.railway.app/v1/collections \
  -H "Origin: https://stash-frontend-pi.vercel.app" \
  -H "Access-Control-Request-Method: GET"
# Response always shows:
access-control-allow-origin: https://railway.com
```
2 Replies
16 days ago
Hello,
Under no circumstances will we overwrite that header on our end; this is something on your end.
Here is a test site that allows me to pass in headers to be set on the server side, and, as shown, the CORS header is returned to me intact, without being overwritten.
16 days ago
If the preflight request hits a route before CORS middleware, headers won’t be added.
Typical fix:
```js
app.use(cors());
app.options('*', cors());
```
Placed before routes.
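An added example, not part of any post in this thread: it approximates the check a browser applies to a preflight response and shows why the header value reported in the question is rejected for the Vercel origin, next to a reply built from an origin allow-list. The function names, the allow-list constant and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://stash-frontend-pi.vercel.app']);

// Headers for an OPTIONS preflight reply, or null when the origin is not allow-listed.
function preflightHeaders(reqHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = reqHeaders.origin;
  if (!origin || !allowed.has(origin)) return null; // unknown origin: send no CORS headers
  return {
    'access-control-allow-origin': origin, // echo the exact allow-listed origin
    'access-control-allow-methods': 'GET,POST,PUT,PATCH,DELETE',
    'access-control-allow-headers': 'Content-Type,Authorization',
    vary: 'Origin', // caches must key on the Origin header
  };
}

// Approximation of the browser's preflight check (ignores credentials mode,
// request headers and status code): the allowed origin must match exactly or
// be '*', and a method that is not CORS-safelisted must be listed.
function browserAcceptsPreflight(origin, method, resHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(resHeaders || {})) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  if (acao !== '*' && acao !== origin) {
    return { ok: false, reason: `allow-origin is ${acao ?? 'missing'}, page origin is ${origin}` };
  }
  const wanted = method.toUpperCase();
  const listed = (h['access-control-allow-methods'] || '').split(',').map((m) => m.trim().toUpperCase());
  const safelisted = ['GET', 'HEAD', 'POST'].includes(wanted);
  if (!safelisted && !listed.includes(wanted) && !listed.includes('*')) {
    return { ok: false, reason: `method ${wanted} not in allow-methods` };
  }
  return { ok: true, reason: 'preflight accepted' };
}

const FRONTEND = 'https://stash-frontend-pi.vercel.app';
// Constructed sample: the header value reported in the question.
const observed = { 'Access-Control-Allow-Origin': 'https://railway.com' };
console.log(browserAcceptsPreflight(FRONTEND, 'GET', observed));
// Reply built from the allow-list for the same request.
const built = preflightHeaders({ origin: FRONTEND, 'access-control-request-method': 'GET' });
console.log(browserAcceptsPreflight(FRONTEND, 'GET', built));
// Constructed origin that is not on the allow-list.
console.log(preflightHeaders({ origin: 'https://other.example' }));
```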